Page 19 - CDM Cyber Warnings November 2013
Keep it focused: At least one of these requirements was written in an operational form rather
than as a security requirement. The Controls would be best served by sticking to a single
perspective (security requirements on operational processes) rather than trying to be a chameleon.
For more details on this Control - including a numbered list containing each requirement, its
description, and my notes pertaining to the requirements – refer to the full analysis here.
Administrative Privileges
In a Nutshell:
Automation Is Your Friend: The plain truth is that you’re not going to manually enumerate and
double-check your user base every day, or even once a week. Automate as much as you can.
If your base toolset doesn’t help you, then break out that shell programming book and get ready
to get your hands dirty. But don’t just report; report trends and changes, which means you need
to save each run’s output for comparison on the next run.
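One way to do what the paragraph above describes, as an added example that is not code from this article or from the Critical Security Controls: a POSIX shell script that enumerates privileged-group membership, saves a snapshot, and on the next run reports only the members that were added or removed. The group names and member lists are constructed for the example; on a real Linux host you would pipe the output of `getent group sudo wheel` into `audit_run` instead.

```shell
#!/bin/sh
# Added example, not code from the article or from the Critical Security Controls.
# Enumerates privileged-group membership, keeps a snapshot from the previous run,
# and reports only what changed, so the daily report shows movement rather than
# a static list. The group names and member lists below are constructed; on a
# real Linux host you would pipe `getent group sudo wheel` into audit_run.

set -u
export LC_ALL=C   # stable byte-order sorting so comm(1) sees consistent input

# Turn getent-style lines ("group:x:gid:user1,user2") into sorted "group:user"
# pairs, one per line. A group with no members contributes nothing.
normalize_members() {
    awk -F: '{
        n = split($4, u, ",")
        for (i = 1; i <= n; i++) if (u[i] != "") print $1 ":" u[i]
    }' | sort -u
}

# audit_run STATE_FILE < listing
# Prints "+group:user" for each membership added since the saved snapshot and
# "-group:user" for each one removed, then replaces the snapshot with the
# current membership. With no snapshot yet (first run) everything is reported
# as added, which establishes the baseline.
audit_run() {
    state="$1"
    cur="$(mktemp)"
    normalize_members > "$cur"
    [ -f "$state" ] || : > "$state"
    comm -13 "$state" "$cur" | sed 's/^/+/'   # only in current run: added
    comm -23 "$state" "$cur" | sed 's/^/-/'   # only in snapshot: removed
    mv "$cur" "$state"
}

# Constructed sample listings: yesterday's run and today's run.
YESTERDAY='sudo:x:27:alice,bob
wheel:x:10:alice'
TODAY='sudo:x:27:alice,bob,mallory
wheel:x:10:'

# Run the audit twice from an empty snapshot and return the second run's delta
# report, which is what an operator would expect to receive each day.
demo() {
    state="$(mktemp)"
    printf '%s\n' "$YESTERDAY" | audit_run "$state" > /dev/null
    printf '%s\n' "$TODAY" | audit_run "$state"
    rm -f "$state"
}

demo
```

Run from cron with a persistent state file (for example `audit_run /var/lib/admin-audit/privileged.snap`) and mail the output; an empty report means nothing changed. Keeping dated copies of the snapshot file alongside the current one gives you the trend history the paragraph asks for.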
Be An Enforcer: Not the kind you find on the ice. The kind that doesn’t bend the rules for
anyone. If your users are having a hard time remembering il#VMNnAY/j, then spring for
1Password or teach them how to use Password Safe - there are probably others.
Think Seriously About Two-factor Authentication: There’s a recommendation in this Control
that Administrative access should always use two-factor authentication. That’s a good strategy.
But why not apply that for all of your users? Not just when accessing the VPN, but all the time?
I’m sure it’s a cost/resource issue, but we’re pretty well overdue for this.
Areas for Improvement:
Stay Focused: There weren’t many (one is enough), but some of these requirements should be
found elsewhere. For example, any of the password-related requirements could easily be left to
Control 16 (Account Monitoring and Control). When similar requirements exist in more than one
place, you’re asking for document maintenance headaches at best and user confusion at worst.
Get Rid Of Reversible Instruction: If any password guidance is kept in this Control, then at
least remove any allowance for storing passwords with reversible encryption.
Address Operational Concerns Over Technical Concerns: I feel that many of these
requirements simply don’t address what really needs addressing – the operational process of
granting, maintaining, and removing administrative privileges. Instead, this Control seems a lot
like Control 16, but slightly tailored for Administrators. The reality is that almost everything
about account and credential management is the same, so this Control should concentrate only on
what’s different.
For more details on this Control - including a numbered list containing each requirement, its
description, and my notes pertaining to the requirements – refer to the full analysis here.
19 Cyber Warnings E-Magazine – November 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide